
Summary Complete CIPP/E Study Notes - Passed 93%

Rating: 2.5 (2)
Sold: 18
Pages: 639
Uploaded on: 28-04-2025
Written in: 2024/2025

93% CIPP/E Score!! CIPP/E Study Guide features a chapter summary for each of the 18 chapters of the required reading and the AI Act; 50 flashcards and 50 multiple-choice questions per chapter; a detailed mind map for each chapter; clear explanations of EDPB guidelines (from the Body of Knowledge); full coverage of the EU AI Act; summaries of key cases; and a bonus set of 150 additional practice questions.

Institution: CIPP/E
Module: CIPP/E



















Content preview

CIPP/E Complete
Study Guide

Contents
Chapter 1: Data Protection Rationale and Legal Framework 5
Chapter 2: European Union Institutions 9
Institutions Comparison Table 14
Institutions Diagram 18
Chapter 3: Legislative Framework 19
Data Protection Directive v GDPR v ePrivacy Comparison Table 23
Chapter 4: Data Protection Concepts 25
Chapter 5: GDPR Territorial and Material Scope 29
Chapter 6: Data Processing Principles 32
Data Protection Principles Table 34
Chapter 7: Lawful Processing Criteria 35
Lawful Basis Table 39
Chapter 8: Information Provision Obligations 41
Fair Processing Notices 44
Transparency Obligations Table 47
Chapter 9: Data Subject Rights 48
Data Subject Rights Table 51
Chapter 10: Security of Personal Data 53
Chapter 11: Accountability Requirements 60
Data Protection Officer (DPO) 64
Chapter 12: International Data Transfers under GDPR 67
BCRs v SCCs 70
Chapter 13: Supervision and Enforcement 72
GDPR Fines Table 77
Chapter 14: Employment Relationships 78
Chapter 15: Surveillance Activities 82
Chapter 16: Direct Marketing 85
Marketing under GDPR and ePrivacy Directive: 90
Chapter 17: Internet Technology and Communications 93
GDPR v ePrivacy Application 100
Overview of the ePrivacy Directive 103
Chapter 18: Outsourcing 107
GDPR Article 28 – Processor Requirements Table 110
AI Act 111
Subject Matter, Definition, Scope 111


Understanding Risk in the AI Act 113
Obligations for Non-Providers of High-Risk AI Systems 118
General-Purpose AI Models 120
Governance Structure 123
Assurance 126
Post-Market Monitoring, Information Sharing and Enforcement 128
Regulatory Implementation and EU Digital Strategy 130
AI Act and GDPR Compliance 133
Guidelines 135
Guidelines 136
Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR 136
Guidelines 3/2018 on the Territorial Scope of the GDPR 136
Guidelines 5/2019 on the Criteria of the Right to Be Forgotten in the Search Engines Cases
under the GDPR 137
Guidelines 10/2020 on Restrictions under Article 23 GDPR 137
Guidelines 05/2021 on the Interplay between the Application of Article 3 and the Provisions on
International Transfers as per Chapter V of the GDPR 137
Guidelines 04/2021 on Codes of Conduct as Tools for Transfers 139
Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679 139
Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure
Compliance with the EU Level of Protection of Personal Data 139
Guidelines 3/2019 on Processing of Personal Data Through Video Devices 140
Guidelines 8/2020 on the Targeting of Social Media Users 140
Guidelines 01/2021 on Examples Regarding Personal Data Breach Notification 140
Guidelines 01/2022 on Data Subject Rights 141
Guidelines 9/2022 on Personal Data Breach Notification under GDPR 141
Guidelines 03/2022 on Deceptive Design Patterns in Social Media Platform Interfaces: How to
Recognize and Avoid Them 141
Guidelines 05/2022 on the Use of Facial Recognition Technology in the Area of Law
Enforcement 142
Cases 143
ECHR Article 8 Cases 143
Halford v UK (1997) 143
Von Hannover v Germany (2004) 143
Copland v UK (2007) 143
MM v UK (2012) 143
Mosley v UK (2011) 143



EU Data Protection Directive Cases 144
Bodil Lindqvist (2003) 144
Google Spain v AEPD (2014) 144
Weltimmo (2015) 144
Vidal-Hall v Google (2015) 144
Patrick Breyer v Germany (2016) 144
GDPR Cases 145
Soriano v Forensic News (2021) 145
Fashion ID (2019) 145
Lloyd v Google LLC (2021) 145
Schrems & Cross-Border Transfers 145
Schrems I (2015) 145
Schrems II (2020) 145
Privacy & Surveillance Cases 146
Digital Rights Ireland (2014) 146
Tele2 & Tom Watson (2016) 146
Lopez Ribalda v Spain (2019) 146
Big Brother Watch v UK (2021) 146
Appendix A – Flash Cards 147
Chapter 1 148
Chapter 2 149
Chapter 3 150
Chapter 4 151
Chapter 5 152
Chapter 6 153
Chapter 7 154
Chapter 8 155
Chapter 9 156
Chapter 10 157
Chapter 11 158
Chapter 12 159
Chapter 13 160
Chapter 14 161
Chapter 15 162
Chapter 16 163
Chapter 17 164


Chapter 18 165
Appendix B – MindMaps 166
Appendix C - Questions and Answers 167




Chapter 1: Data Protection Rationale and Legal Framework
1.1 Rationale for Data Protection

In the early 1970s, the rise of computers for processing personal information coincided with
increasing transborder trade, particularly within the European Economic Community (EEC). This
technological progress enabled the development of large-scale data banks, facilitating the
collection, storage, and sharing of personal data across borders.

However, this digital transformation raised serious privacy concerns, especially with international
data transfers that could bypass national safeguards. Existing European privacy and
confidentiality laws proved inadequate for the challenges presented by automated data
processing and cross-border information flows.

New legal standards were necessary to balance the right to privacy with the economic need for
free and secure data exchange.

1.2 Human Rights Law

The right to privacy is recognized as a fundamental human right in the European Union, forming
the foundation of modern data protection laws. International human rights instruments have
reinforced this right across multiple levels.

1.2.1 Universal Declaration of Human Rights

Adopted on December 10, 1948, the Universal Declaration of Human Rights (UDHR) established
core principles of dignity and equality.

Key articles relevant to data protection include:

• Article 12: Protection from arbitrary interference with privacy, family, home, or
correspondence.

• Article 19: Freedom of opinion and expression, which may at times conflict with privacy
rights.

• Article 29(2): Clarifies that individual rights can be limited in order to respect others' rights
and general welfare.

1.2.2 European Convention on Human Rights

The European Convention on Human Rights (ECHR), established in 1950, ensures several
fundamental freedoms, including:

• Right to life

• Prohibition of torture and slavery

• Right to a fair trial

• Respect for private and family life (Article 8)

• Freedom of expression (Article 10)




Article 8 safeguards privacy but permits lawful limitations under strict conditions. Similarly,
Article 10 protects freedom of expression, subject to necessary and proportionate restrictions.

1.3 Early Laws and Regulations

From the late 1960s to the 1980s, several European countries enacted pioneering data protection
laws to regulate how governments and corporations used personal data. Notable leaders in this
space included Austria, Denmark, and Germany, the latter even enshrining data protection in its
Constitution.

The Council of Europe responded by establishing a regulatory framework, starting with:

• Recommendation 509 (1968)

• Resolutions (1973 and 1974)

These early instruments laid out principles for fair and lawful data processing.

1.3.1 OECD Guidelines

In 1980, the Organisation for Economic Co-operation and Development (OECD) published the
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, seeking to
harmonize global data protection standards.

Key principles include:

• Collection Limitation

• Data Quality

• Purpose Specification

• Use Limitation

• Security Safeguards

• Openness

• Individual Participation

• Accountability

1.3.2 Convention 108

Convention 108, adopted in 1981, became the first legally binding international treaty on data
protection. It required signatory states to incorporate its principles into national law, ensuring a
balanced approach to privacy and cross-border data flows.

Key components:

• Chapter II – Substantive Law Provisions: Ensures fair and lawful processing, purpose
limitation, accuracy, and security. Special categories of data (e.g., racial origin, political
opinions) require additional protection.

• Chapter III – Transborder Data Flows: Article 12 allows free flow of data between
signatories, as long as core data protection principles are respected.




• Chapter IV – Mutual Assistance: Establishes supervisory authorities to promote
compliance and assist individuals in exercising their rights.

1.4 Need for a Harmonised European Approach

Despite Convention 108 and the OECD Guidelines, fragmented national implementations
emerged, threatening both individual rights and seamless international data exchange.

1.4.1 Data Protection Directive (95/46/EC)

To address these discrepancies, the European Commission proposed a harmonization directive,
resulting in Directive 95/46/EC. Its goals were:

• To standardize national laws

• To ensure the protection of individuals' privacy

• To facilitate the free movement of data within the EU

However, inconsistent application among member states led to continued legal uncertainty.

1.4.2 Charter of Fundamental Rights

Proclaimed in 2000, the EU Charter of Fundamental Rights enshrined data protection as a distinct
right:

• Article 8: Emphasizes fair processing, legal basis for data use, individual access rights,
and oversight by independent authorities.

1.5 Treaty of Lisbon

Signed in 2007 and effective from 2009, the Treaty of Lisbon consolidated and strengthened the
EU's institutional framework. Article 16 of the Treaty on the Functioning of the European Union
(TFEU) firmly embedded the right to data protection in EU law, binding both EU institutions and
member states.

1.6 General Data Protection Regulation (GDPR)

Recognizing the shortcomings of the Directive, the EU introduced the General Data Protection
Regulation (GDPR) in 2012, which became enforceable in May 2018.

The GDPR aimed to:

• Strengthen individual rights

• Enhance organizational accountability

• Standardize rules across the EU

• Allow limited national flexibility

It introduced significant penalties for non-compliance, expanded consent requirements, and
broadened data subjects' rights, such as data portability and the right to be forgotten.

1.7 Convention 108+

In 2018, the modernized Convention 108+ was signed, aligning with GDPR principles and updating
the treaty to reflect contemporary data protection challenges.



Key updates include:

• Clearer definitions

• Detailed legal bases for processing

• Stronger security obligations

• Wider scope, applying to both public and private sectors globally

1.8 Related Legislation

1.8.1 Law Enforcement Directive (EU 2016/680)

Adopted alongside the GDPR, this directive harmonizes data protection in law enforcement,
ensuring appropriate safeguards for criminal investigations and prosecutions, while allowing for
national discretion in implementation.

1.8.2 ePrivacy Directive

The ePrivacy Directive regulates the processing of personal data in electronic communications,
including cookies, email marketing, and confidentiality of communications. It is currently under
review to align with the GDPR.

1.9 Brexit

1.9.1 Application of EU Data Protection Law in the UK Post-Brexit

Following Brexit, the UK retained the GDPR as part of its domestic law (referred to as UK GDPR),
with minor amendments. This ensures legal continuity, but also allows the UK to diverge over
time.

1.9.2 Adequacy and Post-Brexit Data Transfers

The UK is now considered a ‘third country’ under EU law. However, the European Commission
granted the UK an adequacy decision, allowing for the continued free flow of personal data—
subject to a sunset clause, meaning the decision will be reviewed in the future.

This chapter lays a comprehensive foundation for understanding the historical evolution, legal
principles, and institutional structures that underpin European data protection law, setting the
stage for deeper exploration in future chapters.




Chapter 2: European Union Institutions
2.1 Background

This chapter discusses the evolution of the European Union (EU) institutions, focusing on the
Treaty of Lisbon and its impact on institutional reform and data protection. The Lisbon Treaty
aimed to enhance the efficiency and democratic legitimacy of the EU, particularly in
decision-making processes and protection of fundamental rights.

2.1.1 Treaty of Lisbon and Institutional Reform

The Treaty of Lisbon amended the EU Treaty and the Treaty on the Functioning of the European
Union (TFEU) to improve decision-making efficiency, particularly after EU enlargement. Key
reforms included:

• Establishment of an institutional framework to promote EU values and ensure policy
consistency across member states.
• Recognition of the European Council and the European Central Bank as formal
institutions empowered to make binding decisions.

The chapter focuses on five main institutions: the European Parliament, European Council,
Council of the European Union, European Commission, and the Court of Justice of the European
Union (CJEU).

2.1.2 Lisbon Treaty and the Protection of Privacy

A major achievement of the Lisbon Treaty was elevating the Charter of Fundamental Rights to the
same legal status as the EU treaties, making its provisions binding on EU institutions and member
states when implementing EU law. Key principles include:

• Article 7: Right to respect for private and family life.

• Article 8: Right to the protection of personal data, including the requirement for
independent supervision and the right of access to and rectification of data.

• Article 41: Right to good administration, including impartiality and the right to be heard.

Debates arose regarding the Charter's applicability, particularly concerning Poland and the UK,
which signed Protocols 7 and 30 limiting its effect. However, the CJEU ruled these opt-outs
ineffective, asserting that the Charter applies fully across all member states when implementing
EU law.

2.2 European Parliament

The European Parliament, defined by the Lisbon Treaty, exercises legislative and budgetary
functions and elects the President of the European Commission.

2.2.1 Rationale and Functions

As the only directly elected EU institution, the Parliament plays a crucial role in:

• Legislative development (in collaboration with the Council).

• Oversight of other EU institutions.

• Representation of EU citizens' interests.


9

Reviews from verified buyers

Showing all 2 reviews
2 months ago

2 months ago

Hello. Sorry to hear you didn't like the materials. As mentioned, these are just my study notes which helped me pass the exam. I am happy to try and improve them though. Are you able to let me know what the issue was?

2 months ago

2.5

2 reviews

5
0
4
1
3
0
2
0
1
1
Trustworthy reviews on Stuvia

All reviews are made by real Stuvia users after verified purchases.

Get to know the seller

Seller avatar
Reputation scores are based on the amount of documents a seller has sold for a fee and the reviews they have received for those documents. There are three levels: Bronze, Silver and Gold. The better the reputation, the more your can rely on the quality of the sellers work.
UKLawyer me
View profile
Follow You need to be logged in order to follow users or courses
Sold
18
Member since
7 months
Number of followers
0
Documents
4
Last sold
1 month ago
UK Legal/Privacy

2.5

2 reviews

5
0
4
1
3
0
2
0
1
1

Recently viewed by you

Why students choose Stuvia

Created by fellow students, verified by reviews

Quality you can trust: written by students who passed their exams and reviewed by others who've used these revision notes.

Didn't get what you expected? Choose another document

No problem! You can straightaway pick a different document that better suits what you're after.

Pay as you like, start learning straight away

No subscription, no commitments. Pay the way you're used to via credit card and download your PDF document instantly.

Student with book image

“Bought, downloaded, and smashed it. It really can be that simple.”

Alisha Student

Frequently asked questions